<@U04UQ68083H> how can i force 2fa auth on updatin...
# ory-copilot
@chilly-king-10285 how can i force 2fa auth on updating password or unlinking totp in ory self hosted
A message from kapa.ai
To enforce multi-factor authentication (MFA) for account settings in a self-hosted Ory Kratos instance, you need to adjust the configuration file. Specifically, you need to set `required_aal` to `highest_available` under `selfservice.flows.settings` and `session.whoami` in the configuration file. This will force users to provide the highest authentication factor to access their account settings. Here is an example of how to set this in the configuration file:

```yaml
selfservice:
  flows:
    settings:
      required_aal: highest_available
session:
  whoami:
    required_aal: highest_available
```
This configuration forces users to provide the highest authentication factor to access their account settings. For example, users without a second factor configured can access the settings after they sign in with their password. Users that have a second factor set up (such as a TOTP app) must complete the second factor challenge to access account settings. If you want all users that configured a second factor to complete the factor before using your app, set `session.whoami.required_aal` to `highest_available`. Please note that this configuration will affect all users, not just those that recover their accounts. If you enable this setting, all users must provide their second authentication factor to adjust profile settings. For more details, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/self-hosted/mfa#enforce-mfa).
@chilly-king-10285 what of on every update alone
A message from kapa.ai
To enforce multi-factor authentication (MFA) for every update in a self-hosted Ory Kratos instance, you need to adjust the configuration file. Specifically, you need to set `required_aal` to `highest_available` under `selfservice.flows.settings` in the configuration file. This will force users to provide the highest authentication factor to access their account settings. Here is an example of how to set this in the configuration file:

```yaml
selfservice:
  flows:
    settings:
      required_aal: highest_available
```
This configuration forces users to provide the highest authentication factor to access their account settings. For example, users without a second factor configured can access the settings after they sign in with their password. Users that have a second factor set up (such as a TOTP app) must complete the second factor challenge to access account settings. For more details, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/self-hosted/mfa#enforce-mfa).